Quiz

Relevant For...

RSA is an encryption algorithm, used to securely transmit messages over the internet. It is based on the principle that it is easy to multiply large numbers, but factoring large numbers is very difficult. For example, it is easy to check that 31 and 37 multiply to 1147, but trying to find the factors of 1147 is a much longer process.

Contents

Overview

RSA is an example of public-key cryptography, which is illustrated by the following example: Suppose Alice wishes to send Bob a valuable diamond, but the jewel will be stolen if sent unsecured. Both Alice and Bob have a variety of padlocks, but they don't own the same ones, meaning that their keys cannot open the other's locks.

How did Alice send the diamond to Bob?

Solution:

Bob first sends Alice an unlocked padlock. Note that Bob would give anyone an unlocked padlock, as the only use for one is to send Bob something.

Alice adds Bob's lock and sends the package to Bob, and

Bob removes his lock and opens the package.

This example demonstrates the ideas behind public-key cryptography, though the concept is actually slightly different. In public-key cryptography. Alice encrypts her message using Bob's public key, which can only be decoded by Bob's private key.

In RSA, the public key is generated by multiplying two large prime numbersppp and qqq together, and the private key is generated through a different process involving ppp and qqq. A user can then distribute his public key pqpqpq, and anyone wishing to send the user a message would encrypt their message using the public key. For all practical purposes, even computers cannot factor large numbers into the product of two primes, in the same way that factoring a number like 414863 by hand is virtually impossible. However, ​multiplying​ two numbers is much less difficult, so a potential factorization can be verified quickly, as the following multiple-choice problem shows:

First, the receiver chooses two large prime numbersppp and qqq. Their product, n=pqn=pqn=pq, will be half of the public key.

The receiver calculates ϕ(pq)=(p−1)(q−1)\phi(pq)=(p-1)(q-1)ϕ(pq)=(p−1)(q−1) and chooses a number eeerelatively prime to ϕ(pq)\phi(pq)ϕ(pq). In practice, eee is often chosen to be 216+1=655372^{16}+1=65537216+1=65537, though it can be as small as 333 in some cases. eee will be the other half of the public key.

The receiver calculates the modular inverseddd of eee modulo ϕ(n)\phi(n)ϕ(n). In other words, de≡1(modϕ(n))de \equiv 1 \pmod{{\small\phi(n)}}de≡1(modϕ(n)). ddd is the private key.

The receiver distributes both parts of the public key: nnn and eee. ddd is kept secret.

Now that the public and private keys have been generated, they can be reused as often as wanted. To transmit a message, follow these steps:

First, the sender converts his message into a number mmm. One common conversion process uses the ASCII alphabet:

A

B

C

D

E

F

G

H

I

J

K

L

M

65

66

67

68

69

70

71

72

73

74

75

76

77

N

O

P

Q

R

S

T

U

V

W

X

Y

Z

78

79

80

81

82

83

84

85

86

87

88

89

90

For example, the message "HELLO" would be encoded as 7269767679. It is important that m<nm<nm<n, as otherwise the message will be lost when taken modulo nnn, so if nnn is smaller than the message, it will be sent in pieces.

The sender then calculates c≡me(modn)c \equiv m^e \pmod{n}c≡me(modn). ccc is the ciphertext, or the encrypted message. Besides the public key, this is the only information an attacker will be able to steal.

The receiver translates mmm back into letters, retrieving the original message.

Note that step 3 makes use of Euler's theorem.

Euler's theorem tells us that mϕ(n)≡1(modn)m^{\phi(n)} \equiv 1 \pmod nmϕ(n)≡1(modn). From the receiver's step 3, we deliberately chose ddd so that de≡1(modϕ(n)).de \equiv 1 \pmod{{\small\phi(n)}}.de≡1(modϕ(n)). Note that such a ddd exists by the definition of eee. This means that there exists an integer kkk satisfying de=kϕ(n)+1de=k\phi(n)+1de=kϕ(n)+1. Then

The receiver distributes his public key: n=187n=187n=187 and e=3e=3e=3.

Now suppose the sender wanted to send the message "HELLO". Since nnn is so small, the sender will have to send his message character by character.

'H' is 72 in ASCII, so the message text is m=72m=72m=72.

The sender calculates me=723≡183(mod187)m^e=72^3 \equiv 183 \pmod{187}me=723≡183(mod187), making the ciphertext c=183c=183c=183. Again, this is the only information an attacker can get, since the attacker does not have the private key.

Applications and Vulnerabilites

Because of the great difficulty in breaking RSA, it is almost universally used anywhere encryption is required: password exchange, banking, online shopping, and even cable television. RSA is also used to ensure websites are legitimate since only the real website would have its private key. It therefore avoids man-in-the-middle attacks, in which an attacker intercepts a connection and shows the user a convincing fake, almost completely. All in all, a vulnerability in RSA would have catastrophic security consequences, so various attacks have been attempted.

The strength of RSA is measured in key size, which is the number of bits in n=pqn=pqn=pq. 512-bit (155 digits) RSA is no longer considered secure, as modern brute force attacks can extract private keys in just hours, and a similar attack was able to extract a 768-bit (232 digits) private key in 2010. As of 2016, 1024-bit (309 digits) keys are considered risky, and most newly generated keys are 4096-bit (1234 digits).

One common attack on RSA bypasses the algorithm altogether. A computer can quickly compute the greatest common divisor of two numbers using the Euclidean algorithm, so an attacker can run this algorithm on two public keys. If their greatest common divisor is not 1, then the attacker has found a prime number dividing both keys, therefore breaking two keys at the same time. For example, suppose two public keys were 239149 and 166381. It is difficult to factor either of these two numbers by hand, but the Euclidean algorithm can be done by hand, revealing that the two numbers have a greatest common divisor of 379.

983121713611439

You have looked up several people's public keys, some of which are below. Some of them are vulnerable, because they are divisible by the same prime. What prime is that?

Other attacks are similar, taking advantage of poor random number generation. If ppp and qqq are too close together, eee is so small that me<nm^e<nme<n, or the private key is too small, then an attacker can efficiently determine the private key.

Bob's public key is
n=6,865,653,949,821,276,403,125,067 and e=3.n=6,865,653,949,821,276,403,125,067\ \ \text{and}\ \ e=3.n=6,865,653,949,821,276,403,125,067ande=3.
Alice sends the ciphertext
c=309,717,089,812,744,704c=309,717,089,812,744,704c=309,717,089,812,744,704
to Bob. What was Alice's message, converted to ASCII?

(You may assume Alice's message is an English word written in capital letters.)

Another class of attacks focuses on hardware. By manipulating the power levels of a computer and causing power faults, Michigan researchers were able to decode a 1024-bit private key using only standard hardware[1]. Similarly, by studying the sounds a computer made while operating, Israeli researchers were able to extract a 4096-bit private key in under an hour[2].

In 1994, MIT mathematician Peter Shor developed a theoretical algorithm for quantum computers that factors numbers exponentially faster than current algorithms do. However, since only small quantum computers have been built, as of 2016 the algorithm has only managed to factor 16-bit numbers (the largest to date is 56153).

References

[1] University of Michigan. Fault based attack of RSA Authentication. Retrieved January 12th, 2016 from http://web.eecs.umich.edu/~valeria/research/publications/DATE10RSA.pdf